It’s a new year in privacy, and as usual, there are many things to watch. Here are 5 burning questions:
5. What will be the impact of the U.S. state privacy laws taking effect? The consumer privacy laws of California, Colorado, Connecticut, Utah, and Virginia all take effect this year. Regulations are in process for several laws, including CA and CO.
Enforcement of the CCPA by the new California Privacy Protection Agency (CPPA) will commence this year. And the CCPA now applies to employee data. Exciting times!
4. Will there be new U.S. state privacy laws? There were a number of bills in the states in 2022, but I think that the states took a pause because of the federal privacy bill, the American Data Privacy and Protection Act (ADPPA). Now that the ADPPA has fizzed out, the states might resume their onward march.
New bills have been introduced in New York, Kentucky, and Tennessee. More will likely follow.
3. Will India finally pass a data privacy law? Maybe. Every year is purportedly the year. And this has happened year after year. I feel like Charlie Brown with the football on this one.
2. What will happen in the EU? Last year, a new agreement was reached to patch cross-border data transfer after Schrems II: Schrems Strikes Back. This new arrangement, the Transatlantic Data Transfer Framework, makes changes in the U.S. surveillance regime via executive order, and it revives the EU-US Privacy Shield. It is currently under review by the European Commission. Once finalized, it will surely be challenged by Schrems, and we’ll see what the European Court of Justice thinks in Schrems III: The Return of Schrems.
In 2022, the UK said it would ditch its GDPR after enacting it a few years prior in an almost verbatim version to the EU’s GDPR. Noise about this seems to have quieted down given all the government upheaval. Maybe the UK has bigger fish to fry. Or, maybe we’ll see something this year.
Will this be the year we finally see the ePrivacy Regulation enacted? It’s like waiting for Godot on this one.
Also, watch out for the AI Act, which might be enacted this year.
1. Will the U.S. pass a comprehensive data privacy law? Short answer: No.
Last year, Congress got fairly close to passing a comprehensive privacy law (the ADPPA). But it preempted state law, and it predictably met opposition from California policymakers who didn’t want to curtail the power of their state and was quietly killed.
I think that if a law is good, it doesn’t need preemption, but not many share my view – even many privacy advocates. It seems to be the new ineluctable truth that preemption must be the political price for a comprehensive law, but just a year ago, it was the ineluctable truth that a law couldn’t have a private right of action.
So, what will happen this year? Nothing. Although President Biden recently stated he wanted a law, I don’t think that this will move the needle. The U.S. House will be a clown show. I expect nothing serious to come out of the House this year.
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses. He is also the co-organizer of the Privacy + Security Forum events for privacy professionals.
NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.
